The Federal Commissioner for the Records of the State Security Service of the Former German Democratic Republic (BStU) takes the protection of personal data very seriously. We want you to know when we collect data and how we use it. We have taken technical and organisational measures to ensure that the data privacy rules are observed not only by our agency, but also by external service providers.
The Federal Commissioner for Stasi Documents (BStU), as an authority of the Federal Republic of Germany without legal capacity, operates an internet site under the domain www.bstu.de on which he informs the public about his activities and about the structure, methods and mode of operation of the State Security Service of the former GDR.
The Stasi Records Act (StUG) serves as the basis for access to Stasi files.
We will only process personal data to the extent necessary. Which data is required and processed, and to which purpose and on what basis, depends largely on the type of service you use or on the purpose for which it is needed.
The processing of personal data is carried out in accordance with the European General Data Protection Regulation (EU DSGVO) and the Federal Data Protection Act (BDSG).
General Provisions and Definitions
Responsibility and Data Protection Representative
Responsibility for the processing of personal data lies with the authority of the Federal Commissioner for the Records of the State Security Service of the GDR.
Specific questions regarding the protection of your data should be directed to the data protection representative at the BStU:
The Federal Commissioner for the Stasi Records Data Protection Representative Karl-Liebknecht-Straße 31/33 10178 Berlin
Postal Address: BStU 10106 Berlin
Personal data is all information relating to an identified or identifiable natural person. An identifiable person is a natural person who can be identified directly or indirectly - in particular by assignment to an identification such as a name, an identification number, location data or an online identification.
Protection of Minors
Persons under the age of 16 should not transmit any personal data to us without the consent of their parents or legal guardians. The data will not be transferred to third parties.
Legal Basis for Processing Personal Data
The BStU processes personal data in the performance of its public interest duties. The public tasks of the BStU also include public relations work, including the provision of information for the public on this website. The legal basis for processing is Art. 6 para. 1 lit. e of the General Data Protection Regulation of the EU (DSGVO) in conjunction with the corresponding national or European task standard or in conjunction with § 3 of the BDSG. In individual cases in which the processing of personal data is necessary to fulfil a legal obligation, Art. 6 para. 1 lit. e of the DSGVO in conjunction with the corresponding legal provision from which the legal obligation is derived, shall also serve as the legal basis.
Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a of the DSGVO serves as the legal basis.
In the processing of personal data required for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b of the DSGVO also serves as the legal basis in individual cases. This also applies to processing operations that are necessary to carry out pre-contractual measures. As a contracting party under civil law, the BStU is particularly active in the area of personnel recruitment and procurement.
In the event that the vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) of the DSGVO serves as the legal basis.
Data Processing in Conjunction with a Visit to this Internet Site
Every time a user accesses our website or downloads a file, data about this activity is processed temporarily in a log file.
Specifically, the following data is stored about each access or retrieval:
Date and time of the request (time stamp), as well as the IP address of the accessing device or server
Name of the retrieved file and transferred data volume (requested URL incl. query string, size in bytes)
Message on whether the request was successful (HTTP status code)
On the basis of Article 6 paragraph 1 lit. e of the EU General Data Protection Regulation (DSGVO) in conjunction with § 5 of the BSI Act, we are obligated to store data beyond the time of your visit for protection against attacks on the internet infrastructure of the BStU and the communication technology of the federal government. This data is analysed and, in the event of attacks on communications technology, is required to initiate legal and criminal prosecution. The data will be deleted as soon as it is no longer needed to fulfil the task.
Data logged when accessing the BStU's website will only be transmitted to third parties if we are legally bound to do so or if disclosure is required for legal or criminal prosecution in the event of attacks on the federal government's communication technology. Data will otherwise not be passed on. The BStU does not merge this data with other data sources.
Furthermore, we note expressly that when a user of the BStU website engages in active use of the services provided by YouTube that have been integrated into the website by the BStU, such as by playing a video on the website, the YouTube service provider stores the BStU visitor’s data according to its own data usage guidelines and uses it for its business purposes. The BStU has no influence on data collection and further use by YouTube. Thus, we cannot provide any information about the extent, location and duration of data storage, the extent to which the network fulfils existing deletion obligations, which assessments and links are made with the data and to whom the data is transferred.
Brochures and books can be ordered through our publication pages. During this process cookies are used, which are valid for the duration of the visit to the website. This is necessary for technical reasons for the function of the shopping cart. This is done on the basis of Art. 6 para. 1 lit. e of the DSGVO in conjunction with § 3 of the Federal Data Protection Act in the context of public relations work for the demand-oriented provision of information on the tasks assigned to the BStU.
Session cookies are small pieces of information that a provider stores in the main memory of the visitor’s computer. A randomly generated unique identification number, a so-called session ID, is stored in a session cookie. A cookie also contains information about its origin and the storage period. These cookies cannot store any other data. Your orders are compiled in your shopping cart using the session ID.
The session cookies used are deleted when you end the session. When you close the browser, your shopping cart is reset. If you end the session without completing the ordering process, the contents that you entered into the shopping cart up to that point must be reordered.
You can use any internet browser to view cookies and their contents. Detailed information is available on the website of the Federal Commissioner for Data Protection and Freedom of Information and the Federal Office for Information Security.
We do not use persistent cookies, which are stored as text files on the hard disk of the visitor’s computer to allow visitors to be recognized at a later time.
Most browsers are set automatically to accept cookies. However, the storage of cookies can be deactivated or the browser can be set so that cookies are only stored for the duration of each connection to the internet.
If you reject all cookies, the shopping cart cannot be used to order different publications and you will only be able to order one brochure at a time.
On the basis of Art. 6 para. 1 lit. e of the DSGVO in conjunction with § 3 of the Federal Data Protection Act, the BStU evaluates usage information for statistical purposes within the context of public relations work and for the demand-oriented provision of information on the tasks performed by the BStU.
This is carried out by the web analysis service Awstats/Matomo/PIWIK.
When individual pages of our website are accessed, the following data is stored:
Two bytes of the IP address of the user’s calling system (anonymous)
The accessed web page
The website from which the user accessed the website (referrer)
The subpages that are accessed from the website
The length of stay on the website
The frequency with which the website is accessed
No cookies are set on the user’s computer as part of our web analysis. The data will not be transferred to third parties.
If you also do not wish to consent to the completely anonymous storage and evaluation of data from your visit, you may object to the storage and use by mouse click at any time. In this case, an opt-out cookie is stored in your browser, which means that Awstats/Matomo/PIWIK will no longer collect any session data.
Note: If you delete your cookies, the opt-out cookie will also be deleted and you may have to reactivate it.
Processing Personal Data within the Context of Establishing Contact
The processing of personal data depends on what form of contact is used. There are differences between contacting us by e-mail, contact form, letter or telephone.
Contacting the BStU by E-Mail
In addition to using the staff's personal business e-mail addresses and various function mailboxes, it is also possible to send an e-mail to the BStU using this central e-mail address: firstname.lastname@example.org
If you use one of the above channels of contact, your e-mail address and any other data you transmit (e.g. last name, first name, address), as well as the information contained within the e-mail (including any personal data you provide) will be stored for the purpose of contacting and processing your request in accordance with the deadlines of the registration guideline applicable to the storage of documents.
We note explicitly that the processing of data is based on Article 6 paragraph 1 lit. e of the DSGVO in conjunction with § 3 of the BDSG. It is necessary to process the personal data you transmit in order to process your request.
E-Mail Addresses not Related to the BStU
The BStU website also contains third-party e-mail addresses. These addresses do not end with “bstu.bund.de” after the @. If you use one of these addresses to contact us, the BStU will not be responsible for the processing of personal data. Should you have any questions regarding the handling of your personal data by this third party, please contact them directly.
Using the Contact Form to Contact the BStU
You can use the form on this website to contact the BStU’s internet editorial office. The contents of the contact form are transmitted via an encrypted https connection.
You must provide your first and last name and e-mail address to use the contact form for communication. Without this data, your request sent via the contact form cannot be processed. Providing a telephone number is optional and enables us - if you wish - to contact you with any questions we may have. The date and time of your inquiry and your IP address will also be transmitted to us.
If we receive a message from you via the contact form or an e-mail, we will assume that we are entitled to reply by e-mail. You must otherwise expressly inform us of another form of communication.
We wish to note that the processing of data transmitted through use of the contact form and its content (which may also contain personal data transmitted by you) is carried out on the basis of Article 6 paragraph 1 lit. a of the DSGVO for the purpose of processing your request.
When using the contact form, the sender’s IP address is recorded. By submitting the contact form, you consent to the transmission and storage of your personal data as well as the IP address in accordance with Art. 6 paragraph 1 letter a) of the DSGVO. Processing and temporary storage of personal data serves to answer your inquiry within the scope of Article 17 of the Basic Law. The IP address is used exclusively within the context of national law enforcement and security measures in compliance with legal requirements.
Processing is carried out by the employees of the internet editorial office. The internet editorial staff stores your data only to process your request and in accordance with legal and contractual requirements. If your request cannot be processed in the internet editorial office, it will be forwarded to the relevant specialist departments or to the citizens’ advisory office.
You may cancel the contact process at any time if you do not agree to the processing of your data. Your message will not be sent.
Contact by Telephone
If you contact an employee by phone, personal data about you will be processed insofar as this is necessary to fulfil your request.
Processing Personal Data in the Context of a Request to View Files
The following data will be read from your identification card in order to properly process your online request to view files.
Date of Birth
Place of Birth
Name at Birth
We collect, process and use this data only to the extent necessary to fulfil the task. We strictly adhere to the provisions of the General Data Protection Regulation (DSGVO) and the Federal Data Protection Act (BDSG). This data will not be transferred to third parties. This data will also be used exclusively for the purpose of enabling your online access using your identification card. By clicking on the link “submit online application,” you consent to this procedure.
Processing Personal Data in the Context of Using Social Networks
The BStU is active in the social networks Facebook, Twitter, Instagram and YouTube.
To fulfil editorial tasks in these social networks, the BStU processes the data of individuals who interact with the BStU. This requires temporary data storage by a service provider. The following data is stored on a server located in the European Union: profile and account names and the content of the request.
We note that the processing of data is based on Article 6 paragraph 1 lit. e of the DSGVO in conjunction with § 3 of the BDSG. It is necessary to process the personal data you transmit to process your request.
In addition, we wish to stress that these services store the data of their users (e.g. personal information, IP address, etc.) in accordance with their data usage guidelines and use them for business purposes. The BStU has no influence on data collection and its further use by social networks. There is no information on the extent, location and duration of data storage, the extent to which networks comply with existing deletion obligations, which assessments and links are made with the data and to whom the data is transferred.
Because Facebook (and Instagram), Twitter and YouTube are non-European companies with a European office only in Ireland, they are, by their own interpretation, not bound by German data protection regulations. This affects, for example, your rights to information, blocking or deletion of data or the possibility to refuse to have your data used for advertising purposes.
Processing Personal Data in the Context of Providing Information
To what degree personal data is processed depends on what form of information is provided. A distinction is made between our sending of the newsletter and other publications.
Data for Sending the Newsletter
If you register for the e-mail newsletter, we receive your e-mail address. It will be used exclusively to send you the BStU newsletter regularly. You provide your consent to this when you enter your e-mail address. For this purpose, your e-mail address will be transmitted via the software of newsletter2go GmbH, the provider we use to send the newsletter. The data will be processed on the basis of your consent in accordance with Article 6(1)(a) of the DSGVO. We use this data exclusively for sending newsletters and for statistical evaluations to analyse system performance. We do not pass your data on to third parties and do not use it for any other purposes of our own. On the basis of § 11 of the BDSG, the company is tasked with dispatching our newsletter. Further information about this company can be found here:
You can unsubscribe from the newsletter at any time and thus automatically revoke your consent to the use of your data. You will find a link for this at the end of each newsletter. The registration system with an additional confirmation message containing a link to the final registration (double opt-in) ensures that you specifically requested to receive the newsletter.
During registration your data will be stored on our server and a confirmation message will be generated with a link for the final registration to the specified e-mail address. The data will be deleted after 48 hours if you do not confirm the registration by the link in this e-mail.
Only by confirming the link in the e-mail will your data be saved for the period in which you receive our newsletter.
If you no longer agree to the storage of the data for this purpose and therefore no longer wish to use our offer, you can unsubscribe from our newsletter at any time. The data you provide will be deleted. Please follow this link to unsubscribe. To do this, you must have the e-mail address you provided at the time of registration.
If you order publications via this website, it is necessary to process your personal data to carry out pre-contractual measures and to fulfil the contract (provision of products) in accordance with Article 6 paragraph 1 letter b of the DSGVO.
In order to process the order, the following personal data must be provided:
Street, house number
Postal code, place and country
This data is processed within the framework of the order. If the aforementioned data is not available, the order cannot be processed. Additional information, such as first name, institution and telephone number, is not required for processing, but may be used to enable better processing of the order.
Written documents that arise during the processing of the order will be kept for five years. This period is based on administrative regulations for payments, bookkeeping and accounting (§§ 70 to 72 and 74 to 80 BHO (VV-BBR BHO, no. 4.7)).
We delete further data after the storage is no longer necessary or limit the processing if legal storage obligations exist.
You have the following rights vis-à-vis the BStU with regard to your personal data:
- Right to information, Art. 15 of the DSGVO
The right of access gives the data subject a comprehensive view of the data concerned as well as other important criteria such as the purposes of processing or the duration of storage. The exceptions to this right regulated in § 34 of the BDSG apply.
- Right to correction, Art. 16 DSGVO
The right to correction includes the possibility for the data subject to have incorrect personal data that concerns him/her corrected.
- Right to deletion, Art. 17 of the DSGVO
The right to deletion includes the data subject’s right to have data deleted by the person responsible. However, this is only possible if the personal data concerned is no longer necessary, is processed illegally or if consent has been revoked. Exceptions to this right regulated in § 35 of the BDSG apply.
- Right to limitation of processing, Art. 18 of the DSGVO
The right to limitation of processing includes the possibility for the data subject to prevent further processing of the concerned personal data for the present time. A restriction occurs above all in the examination phase of other rights exercised by the person concerned.
- Right to object to the collection, processing and/or use, Art. 21 of the DSGVO
The right to object includes the possibility for data subjects to object to the further processing of their personal data in a particular situation, insofar as this is justified by the performance of public duties or public or private interests. The exceptions to this right regulated in § 36 of the BDSG apply.
- Right to data transferability, Art. 20 of the DSGVO
The right to data transferability includes the possibility for the data subject to receive the personal data concerned in a common, machine-readable format from the data controller in order for it to be forwarded to another data controller if necessary. According to Art. 20 para. 3 sentence 2 of the DSGVO, however, this right is not available if data processing serves the performance of public tasks.
- Right to revoke consent, Articles 13 and 14 of the DSGVO
If the processing of personal data is based on consent, the data subject may revoke this consent at any time for the relevant purpose. The legality of the processing based on the consent given remains unaffected until receipt of the revocation.
You can assert the rights listed above in writing using the aforementioned channels of communication.
In accordance with Art. 77 of the DSGVO, you also have the right to appeal to the data protection supervisory authority, the Federal Commissioner for Data Protection and Freedom of Information.
If you have any questions or complaints, you can also contact the data protection representative at the BStU.